Any views on user and session management?
Posted by tim2718281, 02-04-2010, 01:28 PM |
One of the requirements of some web sites is to enable users to register, sign in, and have the fact they have signed in remembered for a while.
Does anyone have any experiences, ideas, references, (even code!) they'd like to share?
I'm thinking: it ought to be possible to set up an "empty" web site, that has the user registration, sign in, session management, password management, data backups, etc. already set up. So when others want to set up a new web site, they could simply start from there.
But maybe someone has done it already ...
|
Posted by Steve_Arm, 02-04-2010, 01:48 PM |
Check some of the existing PHP frameworks like CakePHP or CodeIgniter; they are good to get you started, of course if you have experience with the language.
|
Posted by cygnusd, 02-04-2010, 03:52 PM |
IMO, given the requirements outlined, Django would be the perfect solution.
Check out Pinax or the individual reusable Django apps (scattered around GitHub, Google Code, Bitbucket). They already handle for you things like registration, authentication (even with social networks such as Twitter/Facebook), password management (recovery/reset), and a lot more. See http://pinaxproject.com/
That is, if you'd want to get your feet wet with Django and Python, which is a mature and very flexible framework. All my recent web apps have so far been built using Django.
If PHP is your thing, you might want to consider the PHP frameworks mentioned by @Steve_Arm, or try out the mature CMS frameworks such as Drupal.
|
Posted by tim2718281, 02-04-2010, 04:48 PM |
Oh! I'm thinking in terms of two or three programs of maybe 100-200 lines each!
The programming language doesn't matter.
|
Posted by cygnusd, 02-04-2010, 08:14 PM |
Then a CMS is what you need. By using the mature, well-engineered ones such as Drupal, Joomla and the like, much is already available to you and you can get away without coding anything by using modules and templates/themes.
|
Posted by mattle, 02-05-2010, 01:41 PM |
Tim, I think if you could be more specific about the application of this sort of "empty web site" concept, that would help out a lot.
For example, if this was for a web hosting company that wanted to start new users out with a built-in authentication tool, you would want some sort of Control Panel where they could add users, change passwords, etc. Then, you'd have to provide an API that they can use on the areas that are password-restricted that would verify the session or route to a login.
|
Posted by tim2718281, 02-05-2010, 02:33 PM |
Ah, OK. This is for programmers.
It's for programmers developing their own web sites for their own use. The kind of authentication control I'm thinking of is the kind used by Yahoo, Facebook, etc; not the more secure mechanisms used by banks and so on. And I'm not thinking in terms of multiple privilege levels.
The idea is to set up a web site that has user registration, authentication, session management, to be used as a starting point. The code should follow "best practice".
For the user interface side, that would I guess be whatever Hotmail, Yahoo, Google etc do for user account management.
For session management, I think that means storing an encrypted identity and authentication information in a cookie. Because cookies are stored on users' machines, the code needs to be able to cope with changes in cookie formats - that is, the cookie should contain versioning information.
I'm assuming info will be stored in a database; so the database access information should be stored in whatever is the best way to store it. Database name and table names should be configurable. I think encryption keys could be stored there too.
So - having got all that in place for free, the programmer can start developing the web site.
I don't want to make any assumptions about what role authentication will play in the web site being developed. However, I expect there will be a program function to check if the user has signed in, with an option to generate a sign-in dialog if the user has not signed in.
|
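The versioned cookie described in the post above, as an added example (not code from any poster in this thread): the cookie carries a format version, user id and expiry, and an HMAC covers all three. It signs rather than encrypts, so the contents are tamper-evident but still readable by the user; the key, the lifetime and the older `v1` layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real site loads this from protected configuration.
SECRET_KEY = b"constructed-demo-key-not-for-production"
CURRENT_VERSION = "v2"
MAX_AGE = 14 * 24 * 3600  # assumed "remembered for a while" lifetime, in seconds

def b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(body):
    return b64(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())

def issue_cookie(user_id, now=None):
    now = int(time.time() if now is None else now)
    payload = b64(json.dumps({"uid": user_id, "exp": now + MAX_AGE}).encode())
    body = f"{CURRENT_VERSION}.{payload}"
    return f"{body}.{sign(body)}"  # the signature covers the version prefix too

def parse_v1(payload):
    # Hypothetical older layout "uid|exp", kept so existing cookies still work.
    uid, exp = unb64(payload).decode().split("|")
    return {"uid": uid, "exp": int(exp)}

PARSERS = {"v1": parse_v1, "v2": lambda p: json.loads(unb64(p))}

def read_cookie(value, now=None):
    """Return (user_id, needs_reissue), or None if the cookie must be rejected."""
    now = int(time.time() if now is None else now)
    try:
        version, payload, sig = value.split(".")
        # Verify before parsing, so only data this site signed reaches a parser.
        if not hmac.compare_digest(sig, sign(f"{version}.{payload}")):
            return None
        data = PARSERS[version](payload)  # unknown version -> KeyError -> reject
        if int(data["exp"]) < now:
            return None
        return str(data["uid"]), version != CURRENT_VERSION
    except (ValueError, KeyError, TypeError):
        return None
```

When `needs_reissue` is true, the site can set a fresh cookie in the current format on the same response, so old-format cookies age out without forcing users to sign in again.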
Posted by squirrelhost, 02-07-2010, 01:26 PM |
one simple way, if you want like 'yahoo' is to have a separate login server
which sets cookies (not session).
any web app (or web site) where it detects no cookie (i.e. not logged in)
redirects to the login server where user can log in.
like yahoo, append a ".done" to each redirect, telling login server
where to send the user when login is finished.
so any new web app, simply:
1. checks for cookie (fairly standard anyway)
2. no cookie? redirect to login server, passing current page
3. login server assigns cookie, sends back to web app current page
also means integration with any new web app (or web site) is
fairly trivial: code to check cookie, code to redirect,
and little technical knowledge required on that side
|
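The redirect steps in the post above, as an added example (not code from the thread): the web app builds the redirect carrying the current page in `.done`, and the login server checks that value before sending the user back, so it only ever redirects to sites it serves. The login URL, host list and fallback page are hypothetical.

```python
from urllib.parse import urlencode, urlsplit

LOGIN_URL = "https://login.example.com/signin"  # hypothetical login server
# Hypothetical set of web apps that rely on this login server.
ALLOWED_RETURN_HOSTS = {"app1.example.com", "app2.example.com"}
DEFAULT_RETURN = "https://app1.example.com/"    # fallback when .done is unusable

def build_login_redirect(current_page_url):
    """Web-app side (step 2): no cookie, so redirect and pass the current page."""
    return f"{LOGIN_URL}?{urlencode({'.done': current_page_url})}"

def safe_return_url(done_value):
    """Login-server side (step 3): where to send the user after sign-in.

    The .done value arrives from the browser, so it is treated as untrusted:
    anything that is not an https URL on a known app host gets the default.
    """
    if not done_value or any(ch in done_value for ch in "\\\r\n\t"):
        return DEFAULT_RETURN
    try:
        parts = urlsplit(done_value)
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return DEFAULT_RETURN
    if parts.scheme != "https":
        return DEFAULT_RETURN
    if parts.username is not None or parts.password is not None:
        return DEFAULT_RETURN  # "user@host" forms hide the real destination
    if parts.hostname not in ALLOWED_RETURN_HOSTS:
        return DEFAULT_RETURN
    return parts.geturl()
```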
Posted by tim2718281, 02-07-2010, 03:53 PM |
OK, this seems to be a single-sign-on technique, yes?
Has anyone here used any single-sign-on services for their web sites? What experiences can you share?
|